How I would tweak WordFence settings on a WordPress Blog
Website security is very important these days. A word of advice: don’t take security entirely into your own hands; let professionals help you out. There are many solutions available, but lately WordFence has been my favorite (plus, I just like to read their blog and watch their YouTube channel).
Out of the box, the default installation will work for most users. They offer a Premium option and a Free option; of course, the premium version has more features, like live updates to their blocking rules. I have used the free version and was very satisfied with the default settings. The free version seems to receive most of the premium updates 30 days later, unless their team feels something is important enough that all free users should be protected sooner.
To be clear, I am in no way an authority on this topic; I rely on knowledge gained from reading the WordFence blog and watching their videos. Those are very helpful, so use their documentation before even considering the options I have chosen to adjust.
My first adjustment is Brute Force Protection settings
Since I am the only user on my systems (for the most part), I don’t mind setting my brute force protection settings to the extreme end so that anyone making repeated login attempts is locked out quickly. (Note: I have also added two of my usual IP addresses to the whitelist, but I am not sure whether that helps, as I have not tested it.)
- Lock out after how many login failures: I set this to the lowest (quickest) setting of 2 attempts (see the count period below)
- Lock out after how many forgot-password attempts: I set this to the lowest setting of 1 (because, thanks to password managers, I don’t forget my passwords)
- Count failures over what time period: I chose the longest setting of 1 day, in case of multiple attempts in one day
- Then I lock them out for at least 2 months (the longest period offered)
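As an added illustration (not part of the original post, and not WordFence’s own code), here is a small Python model of the lockout policy described above, replayed over a constructed stream of login events. It assumes the 2-month lockout can be approximated as 60 days and uses a made-up address as the whitelisted IP.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values mirroring the settings chosen above (constructed for this example).
MAX_LOGIN_FAILURES = 2                 # lock out on the 2nd failed login
MAX_FORGOT_PASSWORD = 1                # lock out on the 1st forgot-password attempt
COUNT_WINDOW = timedelta(days=1)       # count attempts over 1 day
LOCKOUT_DURATION = timedelta(days=60)  # "2 months", approximated as 60 days
ALLOWLIST = {"203.0.113.10"}           # constructed stand-in for the author's own IPs


class LockoutPolicy:
    def __init__(self):
        self.attempts = defaultdict(list)  # (ip, kind) -> attempt timestamps
        self.locked_until = {}             # ip -> datetime the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, kind, now):
        # kind is 'login_failure', 'login_success' or 'forgot_password';
        # returns 'allow', 'locked' or 'lockout_started'.
        if ip in ALLOWLIST:
            return "allow"
        if self.is_locked(ip, now):
            return "locked"
        if kind == "login_success":
            self.attempts[(ip, "login_failure")] = []  # success resets the count
            return "allow"
        limit = MAX_LOGIN_FAILURES if kind == "login_failure" else MAX_FORGOT_PASSWORD
        # keep only attempts still inside the counting window, then add this one
        recent = [t for t in self.attempts[(ip, kind)] if now - t <= COUNT_WINDOW] + [now]
        if len(recent) >= limit:
            self.locked_until[ip] = now + LOCKOUT_DURATION
            self.attempts[(ip, kind)] = []  # a fresh lockout starts with a clean count
            return "lockout_started"
        self.attempts[(ip, kind)] = recent
        return "allow"


# Constructed event stream: (ip, kind, ISO timestamp).
EVENTS = [
    ("198.51.100.7", "login_failure", "2024-03-01T10:00:00"),
    ("198.51.100.7", "login_failure", "2024-03-01T22:00:00"),    # 2nd failure in 1 day
    ("198.51.100.7", "login_failure", "2024-04-15T09:00:00"),    # inside the 60-day lock
    ("198.51.100.7", "login_failure", "2024-05-05T09:00:00"),    # lock expired, count restarts
    ("198.51.100.9", "forgot_password", "2024-03-02T08:00:00"),  # one attempt is enough
    ("203.0.113.10", "login_failure", "2024-03-02T08:00:00"),    # allowlisted: never locked
]


def replay(events):
    policy = LockoutPolicy()
    return [policy.record(ip, kind, datetime.fromisoformat(ts)) for ip, kind, ts in events]
```

Running `replay(EVENTS)` shows the second failure within a day triggering the lockout, the later attempt being refused while the lock is active, and the whitelisted address never being counted.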
My next adjustment, due to a recent high volume of xmlrpc attempts
Lately, though, three of my sites have been getting high numbers of xmlrpc.php attempts every day. So I did a little research and realized that, since I don’t use any third-party software like JetPack or anything else that logs into my website through XML-RPC, I can turn this feature off.
From what I have read, the WordPress community does not recommend simply deleting this file, but the WordFence security plugin does allow you to block all incoming xmlrpc attempts under the Login Security settings.
Once I checked this box, it appears I am no longer seeing failed login attempts via xmlrpc.php.
A final useless attempt to add extra blocks
One thing WordFence allows you to do is see the recent attacks against your site, with details about the IP address and computer name they come from. From that view you also have the ability to click the “Block IP” button to add that IP to your block list for the 2-month duration I set above under my first adjustment.
As you can see from my image, WordFence already caught this attempt and blocked it at the time, but if I want to continue to block all access from that IP for the specified duration I can go ahead and add it at this point. This is probably just an extra waste of time, but it does give me a feeling of slight control and satisfaction.
I usually let all the blocks expire after the 2-month period, except that right now on three of my sites I add each one to the Permanent block list and will decide later when to remove them. I know that most of what I have added to the block list are likely one-time hits, but I have seen several that come back a week or two later and try again. I know I could never block enough addresses on my own, because these hackers are bouncing off tens of thousands of IP addresses all over the world (probably a lot of Tor exit nodes, too). But then again, it’s more of a personal satisfaction that I am at least trying something.
Time will tell, and maybe I will follow up later with results. However, after three months of daily monitoring, three out of the roughly 10 websites I manage are hit daily, and hit often.